Has anybody created a device-specific IP address file (ipaddr.tab) to properly identify inbound versus outbound network traffic for reporting purposes?
I am trying to do that but it does not seem to be working.
Any inputs regarding this?
There are a few tricks to using the ipaddr file.
1) follow the information in the online help file to check the format.
2) If the format checks out but you don't see the category or department fields in your reports, check to make sure that you have the DNS resolution box checked for your reports.
3) You may have to copy and modify any canned reports to select the DNS option.
Here's a sample file I used to show when I taught enVision classes (attached).
Keep in mind that with complex networks, the concept of "inbound" or "outbound" can become a VERY relative term, so depending on where your event sources exist in your network this can produce some unexpected results.
This file is more commonly used nowadays to just populate the Department and Category fields found in certain enVision reporting tables.
Attached is the ipaddr.tab file for one of my Checkpoint FWs. I have defined here the outbound range for this particular FW.
After creating the ipaddr file for this FW, I am able to generate the Ad Hoc Reports like "Check Point FireWall-1 / FireWall-1 - Top 20 Denied Outbound by Address", "Check Point FireWall-1 / FireWall-1 - Denied Outbound Traffic by Address" and "Check Point FireWall-1 / FireWall-1 - Denied Outbound Traffic by Port", which was not possible earlier. This report gives me the 'Local Address' in the range of '172.28.128.1 - 172.28.191.254'.
Now when I run the inbound reports like "Check Point FireWall-1 / FireWall-1 - Denied Inbound Traffic by Address", it still shows me the IP addresses in the range of '172.28.128.1 - 172.28.191.254' as 'Foreign Address'.
Now I am not able to understand why it is showing me the already defined outbound address range in these inbound reports.
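The post above describes the expected relationship between a local address range and the "Local Address" / "Foreign Address" columns of the inbound and outbound reports. The following is an added example, not code from this thread or from the enVision product, and it does not reproduce the ipaddr.tab format: it takes the poster's range '172.28.128.1 - 172.28.191.254' (assumed to be the firewall's internal side), classifies a constructed set of denied-connection records by which side falls in that range, and derives the direction from the classification. The range itself is neither "inbound" nor "outbound"; an address inside it should appear as the local address in both report directions, which is the behaviour the poster expected.

```python
import ipaddress
from collections import Counter

# Constructed local range, taken from the poster's value; it is assumed to be the
# address space on the firewall's internal side. This is not the ipaddr.tab format.
LOCAL_RANGES = ["172.28.128.1 - 172.28.191.254"]

# Constructed sample of denied-connection records: (source, destination, destination port)
SAMPLE_EVENTS = [
    ("172.28.130.5", "203.0.113.7", 445),    # internal host -> Internet
    ("172.28.131.9", "198.51.100.2", 23),    # internal host -> Internet
    ("203.0.113.7", "172.28.130.5", 3389),   # Internet -> internal host
    ("198.51.100.2", "172.28.191.254", 22),  # Internet -> internal host
    ("172.28.130.5", "172.28.140.1", 135),   # both sides internal
    ("203.0.113.7", "198.51.100.2", 80),     # neither side internal
]


def parse_range(text):
    """Turn 'a.b.c.d - w.x.y.z' into an (ip_address, ip_address) pair, inclusive."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range: {text!r}")
    return lo, hi


def is_local(addr, ranges):
    """True when addr falls inside one of the parsed local ranges."""
    ip = ipaddress.ip_address(addr)
    return any(lo <= ip <= hi for lo, hi in ranges if lo.version == ip.version)


def classify(src, dst, ranges):
    """Derive the direction from which side is local.

    Returns (direction, local_address, foreign_address). The same range
    decides both directions; only the roles of source and destination swap.
    """
    s, d = is_local(src, ranges), is_local(dst, ranges)
    if s and not d:
        return "outbound", src, dst
    if d and not s:
        return "inbound", dst, src
    if s and d:
        return "internal", src, dst
    return "transit", None, None


def summarize(events, range_texts):
    """Classify every record and keep the columns a report would show."""
    ranges = [parse_range(t) for t in range_texts]
    rows = []
    for src, dst, port in events:
        direction, local, foreign = classify(src, dst, ranges)
        rows.append({"direction": direction, "local": local,
                     "foreign": foreign, "port": port})
    return rows


def denied_by_direction(rows, direction):
    """Count local addresses for one direction, like a 'Denied <direction> by Address' report."""
    return Counter(r["local"] for r in rows if r["direction"] == direction)


if __name__ == "__main__":
    rows = summarize(SAMPLE_EVENTS, LOCAL_RANGES)
    for r in rows:
        print(r)
    print("denied inbound by local address:", denied_by_direction(rows, "inbound"))
```

The "internal" and "transit" outcomes are the cases the earlier reply warns about: when the event source sits between two networks that are both yours, or sees traffic with neither side in the defined range, "inbound" and "outbound" stop being meaningful unless the range is chosen for that specific device.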
You might want to consider addressing this with the support group. They have probably seen this issue & can give you the help you need.
firstname.lastname@example.org or (781)515-7700
I have already addressed this with the support group.
For your reference see Case #C0869688
Does this mean your problem was resolved? Or were you hoping you might get some additional help from this forum?
Yes you are right. I was hoping to get some additional inputs from other users through this forum.
Also, I would like to tell you that the problem has not been resolved yet.
Thanks MJ. Please follow-up with Support to check the status. It may be a tough issue to resolve quickly.
Which enVision Tables are these?
I don't have a handy list of all of the tables that contain them, but one example is the Firewall Accounting table.
Pull it up in the Query tool and scroll to the right through the field list and you will eventually find:
Is it a fair assumption that should the ipaddr.tab be used to populate department and categories, that these should be populated for any device type in the appropriate tables where Department1, Category1 etc. are located within?
That's what I thought too, except I tried it on a few device types and found that some don't actually populate the Department and Category fields within the Global Table (which contains these attributes). One device type as an example is Linux.
Is this therefore dependent on something else, perhaps relating to the parser? (Though I don't see how.)